We did reach out to Netcraft and they have rescanned the site and they confirmed the issue was resolved (email attached).
We run both Jetpack and Wordfence website scans which confirm no malicious code detected or present, we also flushed any cache from cloud flare. Searching for "onload=' (function ()" also did not bring up anything out of the ordinary.
What are other steps we can run? Thanks!